(54) File Access Security Method and Means



An improved file access security technique and associated apparatus 9 accesses data which is stored at 17 encrypted under one encryption key and restores the data re-encrypted under another encryption key, and produces at 19 a record of each access and data re-encryption, both as the control source of encryption keys for access and re-entry of encrypted data and as a secured audit record of users that had access to each file.
SPECIFICATION

File Access Security Method and Apparatus

This invention is concerned with a method of and apparatus for securing data files in storage.

Many known computer-controlled operations on secured data files require verification of the identity of an individual seeking to access a file before the data (usually in encrypted form) can be accessed (see, for example, U.S. Patents 3,938,091, 3,587,051, 3,611,293 and 4,198,619). In addition, many known record-securing schemes, including those associated with credit cards, require verification of both the authority of the using individual and the authenticity of the data in the record, to protect against unauthorized users and against counterfeit or duplicate records. Schemes of this type are disclosed in U.S. Patents 4,304,990, 4,328,414 and 4,357,429.

One disadvantage associated with computer-controlled security schemes of these types is that there is typically no indication left on file of who gained access to a secured record.

The present invention provides a method of securing data files in storage against unauthorized access, the method comprising the steps of encrypting file data as a selected logical combination thereof with an initial one of a plurality of encryption key codes to produce file data in encrypted form for storage at selected file address locations, establishing a record of accesses to each selected file address location and the one of the plurality of encryption key codes with which the file data at the address location is encrypted, processing a request for access to file data at a selected file address location by determining from the record the number of prior accesses thereof and the encryption key code associated therewith, decrypting file data at the selected file address location using said associated encryption key code, re-encrypting file data for said selected file address location using a new one of said plurality of encryption key codes in said selected logical combination, storing the newly re-encrypted file data at the accessed file address location, and modifying the record to indicate an additional access to the selected file address location and the new encryption key code associated therewith.

In performing a method as set forth in the last preceding paragraph, it is preferred that in carrying out the step of decrypting, file data at a selected file address location is decrypted using said initial encryption key code in response to determination from the record that said selected file address location was not previously accessed.

A method as set forth in either one of the last two immediately preceding paragraphs may further comprise the additional steps of establishing a file of user access authorizations, and prior to accessing a selected file address location, determining the authorization status of a user to gain access to the selected file address location.

A method as set forth in the last preceding paragraph may further comprise the additional step of selectively altering the access authorization of a user to gain subsequent access to the selected file address location in response to re-encryption of the file data for storage at the selected file address location.

A method as set forth in any one of the last four immediately preceding paragraphs may further comprise the steps of reinitializing all the file data by decrypting the file data at each selected file address location using the encryption key code thereof determined from the record, and re-encrypting the file data at each such file address location using a new initial one of a plurality of key codes.

In performing a method as set forth in the last preceding paragraph, it is preferred that in carrying out the reinitialization step, the file data at any file address location which is not indicated in the record to have been accessed previously is decrypted using the initial encryption key code.

The present invention also provides apparatus for securing data files in storage against unauthorized access, comprising storage means for storing file data in encrypted form at selectable file address locations, encryption means for supplying encrypted file data to a selected file address location as the logical encoding combination of file data and an encryption key signal applied thereto, generator means for applying selected encryption key signals to the encryption means, record means for producing indication of selected file address locations and key code signals associated with encryption of file data stored therein, circuit means responsive to identification of a selected file address location for determining from said record means the encryption key signal associated therewith for setting the generator means to supply the associated encryption key signal, decryption means disposed to receive encryption key signals from the generator means and encrypted file data from the storage means and operable in accordance with said logical encoding combination to decrypt the file data at said selected file address location, and means operable upon the decrypted file data for altering the generator means to supply a new encryption key signal for re-storing the file data at the selected file address location newly encrypted with a new encryption key signal, said means altering the record means to produce an indication of the new encryption key signal associated with file data in the selected file address location.

In apparatus as set forth in the last preceding paragraph, it is preferred that said circuit means is responsive to the indication in said record means that a selected file address location was not previously accessed for setting said generator means to supply the initial encryption key signal to the decryption means.
update the access authorization information in storage in the memory means 15 in response to authorizations granted, and to generate historic files in encrypted form of the encryption keys used to decrypt and re-encrypt each file accessed from the memory means 17. In addition, the module 9 operates in a controlled reinitialization mode to restore all files in the memory means 17 to a new standard encryption key after numerous accesses of files in the memory means 17 have been authorized. The number of accesses before requiring reinitialization is determined by the memory capacity in the module 9.

Referring now to Figures 2 and 3 in addition to Figure 1, there are shown a flow chart and a block diagram, respectively, illustrating the operation of the system of Figure 1 under control of a central processing unit 11. In operation, a person or entity, R, requesting access to a particular file may enter personal identification numbers, information about the particular file, and the like, via the keyboard controller 13. Optionally, a personal-identity verification routine may be performed in conventional manner (as disclosed, for example, in U.S. Patent 3,938,091 or 4,198,619) and the access-authorization files in the memory means 15 may be searched for authorization to access the requested file. All such files in memory means 17 are initially encrypted with an initial key code, K0, in a conventional manner (for example, using the Data Encryption Standard module available from the National Bureau of Standards) by encrypting the file data in an encryption module 21 with key code K0 from a key code generator 23.

With authorization established 25, the particular file #X may be accessed, but decrypting the file #X requires the correct key code. For this purpose, a key-usage control file 19, later described herein in detail, is searched to determine if the file #X was previously accessed. Two conditions of prior access, namely, that it was, or it was not, previously accessed, are possible. If it was not, then file #X will not appear in the key-usage control file, an indication that it appears in storage provided by the memory means 17 encrypted with the initial key code K0. The key code generator 23 is capable of generating a sequence of different key codes K0, K1, K2, K3 ... Kn and is set to supply key code K0 to a decryption module 27 (which, of course, may be the same type of DES module, or may be the same module, as the encryption module 21). The requested file #X may therefore be decrypted in conventional manner using the key code K0 to provide accessed data 29 in clear text. The data is then returned to storage, either without or with new data modifications 31 that reflect a data-oriented transaction such as sale, deposit, withdrawal, or the like, and is re-stored in encrypted form using a new key code K1. This is accomplished by resetting 38 the key code generator 23 to supply the key code K1 to the encryption module 21 and returning the data 33 with or without modifications for encryption in the module 21 with the key code K1. In addition, the key-usage control file 19 is updated to reflect that the file #X was accessed and now resides in storage newly-encrypted with the new key code K1 in the sequence. Further, the access-authorization files in the memory means 15 may be updated optionally to inhibit further access to file #X by user R, for example, to inhibit R's further access until a "new date", or until accessed by another user, or the like. Subsequent access to file #X by user R, if continuously authorized, or by any other user must be via decryption with the key code K1.

If file #X was previously accessed, then the key-usage control file 19 will contain the entry of file #X having been previously accessed and returned to storage encrypted with a new key code K1, K2 ... Kn, depending upon the number of previous accesses to file #X. Thus, with reference to the chart of Figure 4 which illustrates the typical entries in the key-usage control file 19, if file #X is file #00100, then the previous accesses to this file resulted in its being re-stored encrypted with key code K2 (at entry 37). The search of the key-usage control file 19 thus indicates that file #00100 was previously accessed twice and now requires decryption with key code K2. If authorization of the requesting user is still valid 39, then the key code generator 23 is set to supply the key code K2 to the decryption module 27 in order to furnish the data in this file in clear text 29. Re-storing the data from this file in modified or unmodified form is accomplished by resetting 38 the key code generator 23 to supply the key code K3 (entry 41 in Figure 4) to the encryption module 21 for encryption therein of the returned data with the new key code K3. All retrievals of data in storage in the memory means 17 may be by destructive read of information in the addressed file so that data for re-storing therein may be written in the newly-encrypted form. After numerous accesses to files in storage in the memory means 17, the key-usage control file 19 will typically include entries as illustrated in Figure 4. Such a file optionally may also include codes to identify the particular users who gained access to each file. The file 19 thus provides an audit record of the accesses to the files in the memory means 17. In addition, the key-usage control file 19 is in effect in encrypted form since it neither reveals the data in storage in the memory means 17 nor the actual key codes K0 ... Kn (only generated by the generator 23) required to decrypt the data in storage. Further, the key codes K0 ... Kn which serve as file-protect codes can be generated internally in conventional manner, for example, by a random-number generator 23 and therefore need not be known to anyone.
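The access cycle just described (search the key-usage control file 19, decrypt under the recorded key, re-store under the next key in the sequence, append to the record), together with the optional authorization update and the reinitialization step from the method summary, is modelled below in Python. This is an added illustration written for this edition, not the patent's apparatus or any code from it. Everything not taken from the specification is an assumption: the "logical combination" is XOR with a SHA-256 counter keystream standing in for the DES module, the key codes K0 ... Kn are derived from a secret master value with HMAC so that the generator 23 never has to store them, the control file is an in-memory dict, and the retired control file is archived at reinitialization so the audit history survives.

```python
"""Toy model of the access-controlled re-encryption scheme (added example).

Assumptions not taken from the specification: the 'logical combination' is
XOR with a SHA-256 counter keystream standing in for the DES module; key codes
K0..Kn are derived from a secret master value with HMAC so that the generator
need not store them; the key-usage control file is an in-memory dict; retired
control files are archived at reinitialization.
"""
import hashlib
import hmac


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from key (a hash run in counter mode).
    Symmetric: the same call both encrypts and decrypts. No integrity check,
    just like the raw 'logical combination' the specification describes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyCodeGenerator:
    """Generator 23: supplies the sequence K0, K1, ... Kn on demand.
    Keys are derived internally, so the control file only records indices."""

    def __init__(self, master: bytes, n: int):
        self.master, self.n = master, n

    def key(self, i: int) -> bytes:
        if not 0 <= i <= self.n:
            raise IndexError("key index outside the sequence K0..Kn")
        return hmac.new(self.master, b"K%d" % i, hashlib.sha256).digest()


class SecureStore:
    def __init__(self, generator: KeyCodeGenerator, authorizations: dict):
        self.gen = generator
        self.storage = {}            # memory means 17: address -> ciphertext
        self.control = {}            # key-usage control file 19: address -> [(user, key index), ...]
        self.auth = authorizations   # memory means 15: address -> set of authorized users
        self.audit_archive = []      # control files retired at reinitialization (assumption)

    def initialize(self, address: str, plaintext: bytes) -> None:
        """Store a file encrypted under the initial key K0."""
        self.storage[address] = keystream_xor(self.gen.key(0), plaintext)

    def current_key_index(self, address: str) -> int:
        """Absent from the control file means never accessed, hence still under K0."""
        history = self.control.get(address)
        return history[-1][1] if history else 0

    def access_count(self, address: str) -> int:
        return len(self.control.get(address, []))

    def access(self, user: str, address: str, modify=None, revoke: bool = False) -> bytes:
        """One access cycle: authorize, decrypt under K_i, re-store under K_{i+1},
        append to the control file. Returns the clear text as read."""
        if user not in self.auth.get(address, set()):
            raise PermissionError(f"user {user!r} not authorized for file {address}")
        if address not in self.storage:
            raise KeyError(f"no file at address {address}")
        i = self.current_key_index(address)
        if i + 1 > self.gen.n:
            raise RuntimeError("key sequence exhausted for this file; reinitialize first")
        ciphertext = self.storage.pop(address)           # destructive read
        clear = keystream_xor(self.gen.key(i), ciphertext)
        stored = modify(clear) if modify is not None else clear
        self.storage[address] = keystream_xor(self.gen.key(i + 1), stored)
        self.control.setdefault(address, []).append((user, i + 1))
        if revoke:                                       # optional: inhibit further access by this user
            self.auth[address].discard(user)
        return clear

    def reinitialize(self, new_master: bytes) -> None:
        """Decrypt every file under its recorded key and re-store it under K0' of a
        fresh sequence; the old control file is archived as the audit record."""
        new_gen = KeyCodeGenerator(new_master, self.gen.n)
        for address, ciphertext in list(self.storage.items()):
            clear = keystream_xor(self.gen.key(self.current_key_index(address)), ciphertext)
            self.storage[address] = keystream_xor(new_gen.key(0), clear)
        self.audit_archive.append(self.control)
        self.control = {}
        self.gen = new_gen


if __name__ == "__main__":
    # Constructed sample data: file #00100 holding a balance, two authorized users.
    store = SecureStore(KeyCodeGenerator(b"master secret", n=3), {"00100": {"R", "S"}})
    store.initialize("00100", b"balance=100")
    print(store.access("R", "00100"))                     # read under K0, re-stored under K1
    print(store.access("S", "00100", modify=lambda d: b"balance=90"))
    print(store.control["00100"])                         # [('R', 1), ('S', 2)]
```

Two practitioner caveats follow directly from the model. First, the key index in the control file is all an attacker needs besides the generator's secret, so the protection of the stored files reduces to the protection of that secret and of the generator; the control file itself is an audit log, not a second key. Second, a bare keystream XOR (or raw DES in the 1980s) gives confidentiality without integrity: a modified ciphertext decrypts to modified clear text without complaint, and the re-encrypt-on-access step then launders that modification under a fresh key. A present-day implementation would re-store each file under an authenticated cipher and would record an authenticated hash of the control file alongside it.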

After numerous accesses to the data in storage 17 which approach the limit of the sequence of key codes for any particular file, or on a periodic basis, the entire collection of files in storage 17 may be re-encrypted with a new initial key code K0' of a sequence of new key codes K0', K1' ... Kn'



10. Apparatus according to any one of claims 7, 8 and 9 and further comprising:

access record means for storing data representative of the authorization of users to selectively access file data in said storage means; and

means disposed to receive identification data from a user, and coupled to said circuit means for inhibiting the generator means from supplying an encryption key signal to said decryption means for an unauthorized, identified user.

11. Apparatus according to claim 10 comprising means responsive to re-storing of file data at the selected file address location newly encrypted with a new encryption key signal for altering the identified user's authorization in said access record means to access said selected file address location.

12. Apparatus according to claim 8 comprising initializing means coupled to said generator means, said encryption means and decryption means and to said record means for setting the generator means to selectively decrypt file data in each file address location using the encryption key signals from said generator means established from the record means for each such file address location, and for re-encrypting the decrypted file data for each file address location using a new initial encryption key signal for restorage at the respective file address location.

13. Apparatus according to claim 12 wherein said initializing means responds to indication from said record means of no previous access to a selected file address location for decrypting file data therein using an initial encryption key signal and for re-encrypting the decrypted file data using a new initial encryption key signal to re-store the newly encrypted file data at the respective file address location.

14. Apparatus for securing data files in storage against unauthorized access substantially as hereinbefore described with reference to the accompanying drawings.

15. A file access record produced by a process comprising the steps of:

storing at selected file address locations file data that is encrypted as the logical combination of file data and selected ones of a plurality of encryption key signals;

decrypting file data at a selected file address location using the encryption key signal associated therewith in accordance with said logical combination;

re-encrypting the decrypted file data as a logical combination thereof and a new encryption key signal for restoring at the corresponding file address location; and

producing said file access record as the compilation at least of the number of times each selected file address location was decrypted and information indicative of the encryption key signals with which the file data at each selected file address location was re-encrypted and re-stored therein.